3 Terms, definitions, abbreviated terms and conventions

3.1 Terms and definitions

For the purposes of this document, the terms and definitions given in OPC 10000-1 and the following apply.

3.1.1 AccessRestriction

limit on the circumstances under which an operation, such as a read, write or a call, can be performed on a Node

3.1.2 AccessToken

digitally signed document that asserts that the subject is entitled to access a Resource

3.1.3 ApplicationInstance

individual installation of an OPC UA program with a globally unique identity

3.1.4 ApplicationInstanceCertificate

Certificate that uniquely identifies an individual ApplicationInstance

3.1.5 ApplicationUri

a globally unique identifier for an OPC UA Application running on a particular device

3.1.6 Asymmetric Cryptography

Cryptography method that uses a pair of keys, one that is designated the Private Key and kept secret, the other called the Public Key that is generally made available

3.1.7 Asymmetric Encryption

mechanism used by Asymmetric Cryptography for encrypting data with the Public Key of an entity and for decrypting data with the associated Private Key

3.1.8 Asymmetric Signature

mechanism used by Asymmetric Cryptography for signing data with the Private Key of an entity and for verifying the data’s signature with the associated Public Key

3.1.9 Auditability

security objective that assures that any actions or activities in a system can be recorded

3.1.10 Auditing

tracking of actions and activities in the system, including security related activities where Audit records can be used to review and verify system operations

3.1.11 AuthenticatedEncryption

encryption scheme which simultaneously assures the data confidentiality and authenticity

3.1.12 Authentication

process that assures that the identity of an entity such as a Client, Server, Publisher or user can be verified

3.1.13 Authorization

ability to grant access to a system resource

3.1.14 AuthorizationService

Server which validates a request to access a Resource and returns an AccessToken that grants access to the Resource

3.1.15 Availability

security objective that assures that the system is running normally, that is, no services have been compromised in such a way as to become unavailable or severely degraded

3.1.16 Certificate Authority

entity that can issue Certificates, also known as a CA

3.1.17 CertificateStore

persistent location where Certificates and Certificate revocation lists (CRLs) are stored

3.1.18 Claim

statement in an AccessToken that asserts information about the subject which the Authorization Service knows to be true

3.1.19 Confidentiality

security objective that assures the protection of data from being read by unintended parties

3.1.20 Cryptography

discipline that embodies the principles, means, and methods for the transformation of data in order to hide their semantic content, prevent their unauthorized use, or prevent their undetected modification

3.1.21 Cyber Security Management System

program designed by an organization to maintain the security of the entire organization’s assets to an established level of Confidentiality, Integrity, and Availability, whether they are on the business side or the industrial automation and control systems side of the organization

3.1.22 Diffie Hellman Key Exchange (DH)

mechanism for negotiating a shared secret between two parties that can then be used to protect data exchanged over a network

3.1.23 Digital Signature

value computed with a cryptographic algorithm and appended to data in such a way that any recipient of the data can use the signature to verify the data’s origin and Integrity

3.1.24 Elliptic Curve Cryptography (ECC)

Asymmetric Cryptography method that uses a pair of keys calculated from the mathematical structure of elliptic curves over finite fields

3.1.25 Hash Function

algorithm for which it is computationally infeasible to find either a data object that maps to a given hash result (the "one-way" property) or two data objects that map to the same hash result (the "collision-free" property)

3.1.26 Hashed Message Authentication Code

MAC that has been generated using an iterative Hash Function

3.1.27 Integrity

security objective that assures that information has not been modified or destroyed in an unauthorized manner, see IS Glossary

3.1.28 Identity Provider

Server which verifies credentials provided by a Security Principal and returns a token which can be passed to an associated Authorization Service

3.1.29 Key Exchange Algorithm

protocol used for establishing a secure communication path between two entities in an unsecured environment whereby both entities apply a specific algorithm to securely exchange secret keys that are used for securing the communication between them

3.1.30 Message Authentication Code

short piece of data produced by an algorithm that uses a secret key (see Symmetric Cryptography) to hash a Message; the receiver of the Message can check for alteration by computing a MAC over the same Message with the same secret key, which should be identical to the received one
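The two definitions above (3.1.26 Hashed Message Authentication Code and 3.1.30 Message Authentication Code) describe a sender computing a keyed hash and a receiver recomputing it for comparison. The following is an added illustration, not code from the OPC UA specification or any OPC UA stack: it uses HMAC-SHA256 from the Python standard library, a constructed shared key and a constructed message, and shows that the check fails when the Message is altered, when a different key is used, or when the received MAC is truncated.

```python
import hmac
import hashlib

# Constructed sample key for the illustration only; a real SymmetricKey
# would come from the SecureChannel or SecurityKeyService key material.
SHARED_KEY = b"constructed-demo-key-do-not-reuse"


def compute_mac(key: bytes, message: bytes) -> bytes:
    """Sender side: HMAC-SHA256 over the Message using the shared secret key."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_mac(key: bytes, message: bytes, received_mac: bytes) -> bool:
    """Receiver side: recompute the MAC with the same key and Message and
    compare it to the received value in constant time, so that a wrong MAC
    cannot be distinguished byte-by-byte through timing."""
    expected = compute_mac(key, message)
    # compare_digest also returns False when the lengths differ.
    return hmac.compare_digest(expected, received_mac)


def demo() -> dict:
    """Exercise the intact case and three alteration cases; returns the results."""
    message = b"constructed demo message: setpoint=42"
    tag = compute_mac(SHARED_KEY, message)

    tampered_message = b"constructed demo message: setpoint=99"
    wrong_key = b"some-other-constructed-key"

    return {
        "mac_len": len(tag),                                         # 32 bytes for SHA-256
        "intact": verify_mac(SHARED_KEY, message, tag),              # True
        "tampered_message": verify_mac(SHARED_KEY, tampered_message, tag),  # False
        "wrong_key": verify_mac(wrong_key, message, tag),            # False
        "truncated_tag": verify_mac(SHARED_KEY, message, tag[:16]),  # False
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point the definitions make is that the MAC only proves Integrity to a party that holds the same secret key; anyone without the key can neither produce a valid MAC for an altered Message nor check one, which is why the key itself has to be distributed through a Key Exchange Algorithm or a SecurityKeyService rather than sent alongside the Message.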

3.1.31 Message Signature

Digital Signature used to ensure the Integrity of Messages that are sent between two entities

3.1.32 Non-Repudiation

ability to prove the occurrence of a claimed event or action and its originating entities

3.1.33 Nonce

random number that is used once, typically by algorithms that generate security keys

3.1.34 Permission

right to execute an operation, such as a read, write or a call, on a Node

3.1.35 Private Key

secret component of a pair of cryptographic keys used for Asymmetric Cryptography

3.1.36 Public Key

publicly disclosed component of a pair of cryptographic keys used for Asymmetric Cryptography

3.1.37 Public Key Infrastructure

set of hardware, software, people, policies, and procedures needed to create, manage, store, distribute, and revoke Certificates based on Asymmetric Cryptography

3.1.38 Resource

secured entity which an application accesses

3.1.39 Rivest-Shamir-Adleman (RSA)

algorithm for Asymmetric Cryptography, invented in 1977 by Ron Rivest, Adi Shamir, and Leonard Adleman, see IS Glossary

3.1.40 Role

function assumed by a Client when it accesses a Server

3.1.41 SecureChannel

communication channel that ensures the confidentiality and/or integrity of all messages exchanged between a Client and a Server

3.1.42 SecurityGroup

Publisher(s) and Subscriber(s) that utilize a shared security context

3.1.43 SecurityKeyService

Server that accepts AccessTokens issued by the Authorization Service and returns security keys that can be used to access the specified Resource

3.1.44 Symmetric Cryptography

branch of cryptography involving algorithms that use the same key for two different steps of the algorithm (such as encryption and decryption, or signature creation and signature verification)

3.1.45 Symmetric Encryption

mechanism used by Symmetric Cryptography for encrypting and decrypting data with a cryptographic key shared by two entities

3.1.46 SymmetricKey

shared key used by Symmetric Cryptography for encrypting and decrypting data

3.1.47 Symmetric Signature

mechanism used by Symmetric Cryptography for signing data with a cryptographic key shared by two entities

3.1.48 TrustList

list of Certificates that an OPC UA Application has been configured to trust

3.1.49 Transport Layer Security

standard protocol for creating SecureChannels over IP based networks

3.1.50 X.509 Certificate

Certificate in one of the formats defined by X.509 v1, 2, or 3

3.2 Abbreviated terms

AES    Advanced Encryption Standard
CA     Certificate Authority
CRL    Certificate Revocation List
CSMS   Cyber Security Management System
DNS    Domain Name System
DSA    Digital Signature Algorithm
ECC    Elliptic Curve Cryptography
ECDH   Elliptic Curve Diffie-Hellman
ECDSA  Elliptic Curve Digital Signature Algorithm
GDS    Global Discovery Server
HMAC   Hash-based Message Authentication Code
HTTP   Hypertext Transfer Protocol
HTTPS  Hypertext Transfer Protocol Secure
JSON   JavaScript Object Notation
JWT    JSON Web Token
MAC    Message Authentication Code
NIST   National Institute of Standards and Technology
PKI    Public Key Infrastructure
RSA    Rivest, Shamir, Adleman, public key algorithm for signing or encryption
SHA    Secure Hash Algorithm (multiple versions exist: SHA1, SHA256, …)
SKS    Security Key Server
SSL    Secure Sockets Layer
TLS    Transport Layer Security
TPM    Trusted Platform Module
UA     Unified Architecture
UACP   Unified Architecture Connection Protocol
UADP   Unified Architecture Datagram Protocol
URI    Uniform Resource Identifier
USB    Universal Serial Bus
XML    Extensible Mark-up Language

3.3 Conventions for security model figures

The figures in this document do not use any special conventions. Any conventions used in a particular figure are explained for that figure.